home

windows defender.exe

The application windows defender.exe has been detected as a potentially unwanted program by 19 anti-malware scanners. This is a setup program which is used to install the application. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. The file has been seen being downloaded from callfor.info. While running, it connects to the Internet address static.243.47.9.176.clients.your-server.de on port 45550.
MD5:
3467abc9acb1a1ae3f5322e2d4f7a5f8

SHA-1:
5078c68b1928a616d32d83265ba989d6f8ea0841

SHA-256:
1df24718fe0b336a20518fa60928b6cbd3df5324403899b9729e8cfece7416d3

Scanner detections:
19 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/16/2024 12:58:10 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.BitCoinMiner
7.1.1

avast!
Win64:Rootkit-gen [Rtk]
2014.9-150824

AVG
BitCoinMiner.D
2016.0.3008

Bitdefender
Trojan.Generic.11649192
1.0.20.1470

Clam AntiVirus
Win.Trojan.Bitcoinminer-81
0.98/20836

Dr.Web
hacktool program Tool.BtcMine.420
9.0.1.05190

ESET NOD32
Win64/BitCoinMiner.U potentially unsafe application
7.0.302.0

G Data
Win64.Riskware.BitCoinMiner
15.8.25

herdProtect (fuzzy)
variant of 806779989c6ea355a1abf4f6c7cb646c.exe
2015.10.21.3

IKARUS anti.virus
not-a-virus:RiskTool.BitCoinMiner
t3scan.1.9.5.0

K7 AntiVirus
Trojan
13.183.13451

Kaspersky
not-a-virus:RiskTool.Win64.BitCoinMiner
14.0.0.1533

Malwarebytes
Riskware.BitcoinMiner
v2015.10.21.03

McAfee
RDN/Generic PUP.x!cmq
5600.6606

MicroWorld eScan
Trojan.Generic.11649192
16.0.0.882

nProtect
Trojan.Generic.11649192
14.09.22.01

Sophos
PUA 'Internet Download Manager - Miner'
5.15

Trend Micro House Call
TROJ_GEN.R047C0OHO14
7.2.294

Zillya! Antivirus
Tool.BitCoinMiner.Win64.3
2.0.0.2368

File size:
504 KB (516,096 bytes)

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\windows\sys\windows defender.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
12288:ZVOEGAlH4s/FFRf725x8zHWt2/BSvHLWq1blj/UY0nTRCgu:ZVfHX/FFRzJjc2/4vrWq1RAYyTI

Entry address:
0x1500

Entry point:
48, 83, EC, 28, 48, 8B, 05, 15, 3A, 07, 00, C7, 00, 00, 00, 00, 00, E8, 6A, 95, 05, 00, E8, 95, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 83, EC, 38, 4C, 89, 4C, 24, 58, 4C, 8D, 4C, 24, 58, 4C, 89, 4C, 24, 28, E8, D8, 9E, 05, 00, 48, 83, C4, 38, C3, 0F, 1F, 00, 56, 53, 48, 83, EC, 28, 48, 85, C9, 74, 75, 83, 39, 01, 48, 89, CB, 74, 3D, 66, 66, 66, 66, 2E, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 89, D9, 48, C7, 03, 00, 00, 00, 00, 48, C7, 43, 08, 00, 00...
 
[+]

Code size:
388 KB (397,312 bytes)

The file windows defender.exe has been seen being distributed by the following URL.

http://callfor.info/Windows Defender.exe

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to static.78.147.9.176.clients.your-server.de  (176.9.147.78:45560)

TCP:
Connects to static.243.47.9.176.clients.your-server.de  (176.9.47.243:45550)

Remove windows defender.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.